Insights into Editorial: Cybersecurity: What India needs to do

Cyber-attacks have grown in terms of sophistication and reach in the recent times. The countries are witnessing growing cybercrime ranging from fraud calls to malwares that bring banking systems to a standstill.

India was one of the worst hit countries by the WannaCry ransomware malware affecting sectors such as banking, finance and manufacturing last year.

Cyberattacks on Estonian networks in 2007, on Georgian networks in 2008, and the Stuxnet attack in 2010 that destroyed the Iranian uranium enrichment centrifuges alerted the world to the reality of cyberwarfare.

Attacks are often anonymous and difficult to attribute to specific actors, state or non-state. Advanced Precision Threats (APTs) carried out by anonymous hackers are often silent and go unnoticed for long periods.

Importance of cyber security:

Cyber security is an important arena of internet when the country is moving forward towards a cashless society and digitization. Till 2013, India did not even have a cyber security policy in place. It is of paramount concern to take cyber security seriously in India with most of the transactions going online and cashless.

Security becomes a challenge as now privacy is a fundamental right as per SC verdict and the rise in cybercrimes can lead to violation of private space and liberty of expression.

Cyber security becomes a vital law of cyber law today. There is need of new tools; capacity building must be done in various departments and a mechanism in place to address these challenges.

The Indian government has embarked on a programme to turn the country into a digital economy. It has unveiled a series of initiatives—from introducing Aadhaar, MyGov, Government e-Market, DigiLocker, Bharat Net, Startup India, Skill India and Smart Cities to propel India towards technological competence and transformation.

Cyber security for Government and Public DATA: Need of the hour:

The government is stepping up authority around cyber security to check the rising menace of financial frauds. Global Conference on Cyberspace was conducted in India for first time where the theme for the conference was Cyber4All: A Secure and Inclusive Cyberspace for Sustainable Development. GCCS was launched with a view to establish internationally agreed ‘rules of the road’ for behaviour in cyberspace and create a more focused and inclusive dialogue between all stakeholders on how to implement them.

GCCS 2017 aims to foster a holistic view of cyber space ensuring not only empowerment of individuals but also enabling the Governments to achieve national goals of sustainable development.

Much like state actors, many companies are developing their own capabilities of going after suspected cyber attackers in what is called ‘hunting’. Such unchecked proliferation of offensive cyber tools and practices can destabilise the entire cyberspace in the absence of any accepted norms of behaviour.

The Indian military needs to make a proper assessment of an offensive cyber doctrine adopted by many countries and undertake action that goes beyond simply the building of defensive capabilities. Offensive cyber response is not limited to states alone.

The international community has been unable to agree on suitable norms of behaviour in cyberspace. In 2013, the UN Group of Government and Experts (UNGGE) had suggested 11norms.

However, implementing them in cyberspace is a difficult task. In a major setback to the process of norms development, the 2015 UNGGE failed to arrive at a consensus. Presently, there are no acceptable norms of behaviour in cyberspace.

In India, it is imperative that cyber networks, software and cyber-physical systems, and platforms should be cyber-secure. This requires a judicious mix of people, policies and technology, as well as robust public-private partnership.

The reliance on imported information and communication technology (ICT) products and our inability to screen them for vulnerabilities is a major cybersecurity risk.

Cyber Deterrence will be the way forward?

Detecting and responding to such cyberattacks is a daunting task. Analysts have been debating whether cyber deterrence, on the lines of nuclear deterrence, can dissuade such attackers.

Cyber deterrence can be of two kinds:by denying attacks (defensive) and by punishment (offensive). Cyber defences are raised so that the attacker is unable to pierce the adversary’s networks. In the latter case, the cyber attacker is assured of a devastating response.

Evidently, neither deterrence by denial nor by punishment works in cyberspace. Attackers are able to bypass the best of cyber defences. For offensive cyber deterrence, it is necessary to identify the attacker with pinpointed accuracy. But attribution is the Achilles heel of offensive cyber deterrence.

Indiscriminate targeting could prove to be more destabilising and counterproductive. Some analysts have argued that for cyber deterrence to hold, the response need not always be in cyberspace. It can be in political, economic or military domains.

The attacker’s assets can be targeted in a kinetic military response. Economic sanctions can be imposed. Irrespective of the problems associated with the efficacy of the concept of cyber deterrence, countries are acquiring offensive capabilities in cyberspace. They are building bits of software called ‘cyberweapons’ that can do enormous damage to the adversary’s networks.

Recent Government Initiatives:

To combat cyber threat, the government is coming up with more cyber security labs.

The government has earlier launched Digital Investigation Training and Analysis Centre (DITAC) to tackle these crimes.

The government launched its first DITAC in Gurugram, Haryana in 2016 in collaboration with National Technical Research Organisation (NTRO). The second one is being set up in Mohali, Punjab.

DITACs will monitor and police cyber-crimes committed through different platforms such as mobile, email, computer and social media platforms like Twitter and Facebook.

Apart from DITACs, the government also established National Cyber Coordination Centre, an operational cyber security and e-surveillance agency in India.

National Informatics Centre opened the fourth new data centre in Bhubaneswar, the second largest after the one in New Delhi, recently.

Conclusion:

Most of the Indian banking industry and financial institutions have embraced IT to its full optimization. Reports suggest that cyber-attacks are understandably directed toward economic and financial institutions. With innovative, technology led programmes such as AADHAAR, MyGov, GeM, Digital Locker the new India is the land of technological prowess and transformation.

Government and the private sector jointly have to give cyber security some priority in their security and risk management plan.

Cyber awareness must be spread and there should be multi-stakeholder approach- technological inputs, legal inputs, strengthening law enforcements, systems and then dealing with transborder crime involves lot of international cooperation.

Way Forward:

Institutions such as the National Cybersecurity Coordinator (NCC), National Technical Research Organisation, Computer Emergency Response Team and the National Cyber Security Coordinator Centre are all doing a reasonable job. But they suffer from the lack of skilled manpower and proper coordination.

The existing National Information Board (NIB), headed by the National Security Adviser (NSA), duly empowered, can play the role of an apex body in India.

NCC, set up in 2015 as a part of the National Security Council Secretariat, should be strengthened to bring about a much-needed synergy among various institutions and to work out a coordinated approach to cyber security, including cyber deterrence.